Newsgroups: php.internals
Message-ID: <53A10E88.9000109@lerdorf.com>
Date: Wed, 18 Jun 2014 05:59:04 +0200
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Pierre Joye
CC: PHP internals
References: <53A10C5B.1000003@lerdorf.com>
Subject: Re: [PHP-DEV] PHP6, drop open_basedir?

On 06/18/2014 05:57 AM, Pierre Joye wrote:
> On Wed, Jun 18, 2014 at 5:49 AM, Rasmus Lerdorf wrote:
>
>> I think you have a very narrow view of how this feature is used.
>> Security and code quality is about layers. This is a useful layer that
>> helps verify that an application, or even a subset of an application, is
>> only able to access a given set of directories. If something tries to
>> access a file outside of the defined scope, we get an error and we know
>> there is a bug in the code. I, and many companies out there, rely quite
>> heavily on this feature to catch mistakes. And yes, there are ways of
>> getting around it at the PHP-level if you deliberately craft your PHP
>> code to do so, but that doesn't make the feature any less useful to all
>> the people using it to catch non-deliberate mistakes.
>
> It gives a false sense of safety, and that alone for me is a good
> enough reason to remove it. it is not as bad as safe_mode but simply
> not good.

Only to people who don't understand how it works. Let's treat our
audience like grown ups, please.

-Rasmus
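
The "we get an error and we know there is a bug in the code" workflow from the thread, as an added example that is not part of the original message or of PHP itself: a small Python triage script that pulls open_basedir violations out of a PHP error log and groups them by the call site that needs fixing. The log lines, paths and function names (`open_basedir_violations`, `report`) are constructed for illustration, and a Unix `:` path separator is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of a PHP error log (timestamps and paths are made up).
SAMPLE_LOG = """\
[18-Jun-2014 03:59:10 UTC] PHP Warning:  file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/app:/tmp) in /var/www/app/view.php on line 12
[18-Jun-2014 03:59:10 UTC] PHP Warning:  file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/app/view.php on line 12
[18-Jun-2014 04:01:44 UTC] PHP Notice:  Undefined index: page in /var/www/app/index.php on line 7
[18-Jun-2014 04:02:03 UTC] PHP Warning:  fopen(): open_basedir restriction in effect. File(/var/www/shared/cache.dat) is not within the allowed path(s): (/var/www/app:/tmp) in /var/www/app/cache.php on line 40
[18-Jun-2014 04:05:19 UTC] PHP Warning:  file_get_contents(): open_basedir restriction in effect. File(/var/www/app/../conf/db.ini) is not within the allowed path(s): (/var/www/app:/tmp) in /var/www/app/view.php on line 12
"""

# Matches the warning PHP emits when a file access falls outside open_basedir.
VIOLATION = re.compile(
    r"(?P<func>[\w:\\]+)\(\): open_basedir restriction in effect\. "
    r"File\((?P<target>.*)\) is not within the allowed path\(s\): "
    r"\((?P<allowed>.*)\) in (?P<script>.+) on line (?P<line>\d+)\s*$"
)


def open_basedir_violations(log_text):
    """Group violations by the (script, line) call site that triggered them."""
    sites = defaultdict(lambda: {"func": None, "targets": [], "allowed": None})
    for entry in log_text.splitlines():
        m = VIOLATION.search(entry)
        if not m:
            continue  # unrelated notices and the follow-up "failed to open stream" line
        site = sites[(m["script"], int(m["line"]))]
        site["func"] = m["func"]
        site["allowed"] = m["allowed"].split(":")  # assumes Unix separator
        if m["target"] not in site["targets"]:
            site["targets"].append(m["target"])
    return dict(sites)


def report(log_text):
    """One line per offending call site, sorted by script path and line."""
    found = sorted(open_basedir_violations(log_text).items())
    return [f"{script}:{line} {site['func']}() -> {', '.join(site['targets'])}"
            for (script, line), site in found]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Each reported call site is a place where the code reached outside its intended directories, which is the non-deliberate mistake the restriction is being used to surface.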